Offline cached ldap and krb logins with SSSD and Active Directory

SSSD from the Fedora Project provides NSS and PAM modules that cache network identities and credentials, so notebook users can still log in when disconnected from the domain. SSSD is available in the main repos for both Fedora and Ubuntu.

The following sssd.conf worked for our environment. (Making it work with FreeIPA or OpenLDAP and Kerberos is far less fiddly.) Two caveats before copying it: the file carries the LDAP bind password in cleartext, so it must be readable by root only (mode 0600), and as written it talks plain ldap:// without STARTTLS, so that password and every lookup cross the network unencrypted. SSSD supports TLS, so turn it on if your AD allows it.

[sssd]
domains = MYDOMAIN
services = nss, pam
config_file_version = 2
sbus_timeout = 30

[pam]
# 0 means cached credentials never expire; set a number of days if you
# want stale offline credentials to stop working eventually
offline_credentials_expiration = 0

[domain/MYDOMAIN]
description = MYDOMAIN AD Server
#debug_level = 9
# enumerate = true is slow against a large AD; only needed if getent must list every user
enumerate = true
ldap_referrals = false
min_id = 1000
# permit lets any account that authenticates log in; use ldap_access_filter to restrict it
access_provider = permit
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://my.ldap.server
ldap_search_base = dc=my,dc=ad,dc=domain
# TLS/SSL is supported. With a plain ldap:// URI and no STARTTLS the bind DN
# and password below, and every lookup, cross the network in cleartext.
ldap_id_use_start_tls = False

# If you do not have anonymous binds enabled
# User that can read from AD, any normal user should work. Update as necessary
ldap_default_bind_dn =
# Leave this as password
ldap_default_authtok_type = password
# The ldap user's actual password, update as necessary.
# It is stored in cleartext, so this file must be root-only (chmod 0600).
ldap_default_authtok = password

# This is the important stuff for making AD LDAP work
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_force_upper_case_realm = True

# I love this setting
override_homedir = /home/%u
# kerberos config
auth_provider = krb5
krb5_server =
krb5_realm = MY.AD.DOMAIN
# This will probably not work for changing passwords
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
# Required for offline logins: a hash of the last successful password is cached locally
cache_credentials = True
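Before this file goes onto a notebook that leaves the building it is worth checking the settings above mechanically. The following audit script is an added example, not code from the original post or from SSSD itself: it reads an sssd.conf and reports the weak settings the configuration above relies on (cleartext bind password in a readable file, plain ldap:// without STARTTLS, access_provider = permit, cached credentials that never expire, and no krb5_validate). The FAIL/WARN/INFO tags, the function names and the sample files are this example's own conventions.

```shell
# Added example (not from the original post): audit an sssd.conf for the
# settings that matter before the file ships. POSIX sh plus sed, ls and grep.
# The function names and the FAIL/WARN/INFO tags are this example's own.

# Print the first value of key $1 in file $2, lower-cased and trimmed.
# Commented-out lines (#key = ...) do not match.
sssd_getval() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | head -n 1 | sed 's/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# Audit file $1: one finding per line, tagged FAIL, WARN or INFO.
sssd_conf_audit() {
    conf="$1"

    # ldap_default_authtok is a cleartext bind password, so the file must be root-only.
    if [ -n "$(sssd_getval ldap_default_authtok "$conf")" ]; then
        echo "INFO ldap_default_authtok is set: the bind password is stored in cleartext"
        # columns 5-10 of "ls -ld" are the group and other permission bits
        case "$(ls -ld "$conf" | cut -c5-10)" in
            *[rwx]*) echo "FAIL $conf is readable by group or others; chmod 0600 it" ;;
        esac
    fi

    # A plain ldap:// URI without STARTTLS sends that bind DN and password unencrypted.
    case "$(sssd_getval ldap_uri "$conf")" in
        ldap://*)
            [ "$(sssd_getval ldap_id_use_start_tls "$conf")" = "true" ] \
                || echo "FAIL ldap_uri is ldap:// and ldap_id_use_start_tls is not True"
            ;;
    esac

    # permit means any account that can authenticate may log in to this host.
    [ "$(sssd_getval access_provider "$conf")" = "permit" ] \
        && echo "WARN access_provider = permit: no host-level access control"

    # 0 keeps cached credentials valid forever while the machine is offline,
    # including for accounts that have since been disabled in AD.
    [ "$(sssd_getval offline_credentials_expiration "$conf")" = "0" ] \
        && echo "WARN offline_credentials_expiration = 0: cached credentials never expire"

    # Without krb5_validate the TGT is not checked against the host keytab,
    # so a fake KDC on the local network can satisfy the login.
    [ "$(sssd_getval krb5_validate "$conf")" = "true" ] \
        || echo "WARN krb5_validate is not True: the TGT is not verified against the host keytab"

    return 0
}

# Number of FAIL and WARN findings for file $1 (INFO lines are not counted).
sssd_conf_issues() {
    sssd_conf_audit "$1" | grep -E -c '^(FAIL|WARN)' || true
}

# Usage: sh sssd_audit.sh /etc/sssd/sssd.conf
if [ $# -gt 0 ]; then
    sssd_conf_audit "$1"
    echo "issues: $(sssd_conf_issues "$1")"
fi
```

Run against the configuration above, saved with default 0644 permissions, it reports five FAIL/WARN lines; with start_tls on, an ldap access_provider, a finite offline_credentials_expiration, krb5_validate = True and the file at 0600 it reports only the INFO line about the stored bind password, which you cannot avoid if anonymous binds are disabled.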


Ever since working with Debian I have wondered why more Linux distros don't ship with exim as the default MTA.

"exim -bt email@address" is reason enough: it runs the address through the routers and shows where the message would be delivered, without sending anything.

It is simpler to set up and easier to administer. If you want your Fedora machine to send local email via Gmail, here is a guide.

One point to add: if you want root's mail delivered somewhere, edit /etc/aliases and set an alias for root. Don't forget to run "newaliases" when you're done, otherwise the change is not picked up.

Changing the default Calendar app in gnome-shell

For various reasons I use Thunderbird as my calendaring app. One of GNOME Shell's most obvious features is its clock applet, front and centre on the screen, with its built-in calendar. It pulls this information from Evolution.

This config change will get the applet to launch Thunderbird (or any other app) when you click on the built-in calendar, but it will still not populate the calendar with entries from Thunderbird. It is a single gsettings line; the schema argument did not survive on this page, so <schema> stands in for it:

$ gsettings set <schema> exec 'thunderbird'

To populate the calendar widget there is an extension for Thunderbird called Evolution Mirror, which should populate the Evolution DB with your Thunderbird data. You will need to install a couple of additional packages to make it work; in Fedora 16 (F16):

$ sudo yum install gnome-python2-extras gnome-python2-evolution

Corrupted drive, missing superblock,

I was passed a corrupt LVM volume today and asked to recover it. It was completely screwed: "dumpe2fs" could not give me a list of backup superblocks to pass to fsck.

I could probably calculate where the superblocks should be on the filesystem by hand if I needed to, but it was much simpler than that:

# mkfs.ext3 -n <device>

The -n is a dry run: mke2fs shows what it would do but does not touch the drive, and part of what it shows is where the backup superblocks would be placed. Pass one of those block numbers to e2fsck with -b (and the block size with -B, so it does not have to guess). This only works if the dry run uses the same options the filesystem was originally created with; if the previous filesystem had been created with a non-default block size or inode ratio, the layout will differ and the numbers will be wrong. If you can, take a dd image of the volume first and work on that, so a wrong guess does not make things worse. But your filesystem is hosed anyway, so it may be worth the punt.

If your filesystem is completely screwed, though, you may recover little, and what you do recover will probably be sitting in "lost+found". fsck will recover your filesystem, but it makes no guarantee about recovering files.
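Reading the block numbers off the dry run by eye is fine for one volume; the following is an added example, not code from the original post, that parses the "mke2fs -n" output and builds the matching e2fsck command line. The sample output embedded in it is constructed to match the mke2fs format for a 10 GiB ext3 volume created with default options (it is not captured from the post's machine), and the device name /dev/vg0/data is a placeholder.

```shell
# Added example (not from the original post): turn "mke2fs -n" output into
# an e2fsck command that uses one of the backup superblocks. The sample
# output and the device name below are constructed for the demonstration.

# Read mke2fs -n output on stdin; print "BLOCKSIZE SUPERBLOCK", one line per
# backup superblock. The list starts after "Superblock backups stored on
# blocks:" and may span several indented lines for a large filesystem.
ext_backup_superblocks() {
    awk '
        /^Block size=/ {
            sub(/^Block size=/, ""); sub(/ .*/, ""); bs = $0
        }
        /^Superblock backups stored on blocks:/ { grab = 1; next }
        grab && !/^[[:space:]]*[0-9]/ { grab = 0 }
        grab {
            gsub(/,/, " ")
            for (i = 1; i <= NF; i++) print bs, $i
        }
    '
}

# Print an e2fsck command for device $1 that uses the $2-th backup superblock
# (1-based, default 1) from the mke2fs -n output on stdin. -B pins the block
# size so e2fsck does not have to guess it. Prints nothing if there is no
# such backup, which is the signal to stop guessing.
ext_fsck_cmd() {
    dev="$1"
    n="${2:-1}"
    ext_backup_superblocks | sed -n "${n}p" | while read -r bs sb; do
        echo "e2fsck -b $sb -B $bs $dev"
    done
}

# Constructed sample of what "mke2fs -n /dev/vg0/data" prints for a 10 GiB
# ext3 volume with default options (4 KiB blocks, 32768 blocks per group).
SAMPLE_MKE2FS_OUTPUT='mke2fs 1.41.14 (22-Dec-2010)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
655360 inodes, 2621440 blocks
131072 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2684354560
80 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632'

# The command for the first backup superblock of the sample above.
demo_first_fsck() {
    printf '%s\n' "$SAMPLE_MKE2FS_OUTPUT" | ext_fsck_cmd /dev/vg0/data
}

# Usage on a real volume:
#   mke2fs -n /dev/vg0/data | ext_fsck_cmd /dev/vg0/data 2
# Run the printed command with -n added first (e2fsck -n opens the filesystem
# read-only) to see whether that backup is sane before letting e2fsck write.
demo_first_fsck
```

If the first backup superblock is itself damaged, ask for the second or third; once the function prints nothing you have run out of candidates from that layout and the dry-run options are probably not the ones the filesystem was made with.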

Cyanogenmod on a Nook

This process has been documented and re-documented so many times so this will not be a technical entry. But the process works and it is brilliant.

What I do want to say is that the official instructions from the Cyanogenmod wiki work, and are simpler than anything else I read. So follow them.

The Nook Color is a tablet disguised as an ereader. Spec wise it is lacking a few things, but the build quality is brilliant and it is cheap.

I ordered a refurbished unit from eBay for $199.00. At the time this made it about $190.00 AUD. They only ship to the US, so I sent it to an address provided by ComGateway. I expected to be billed about $30 for shipping to Australia, but ComGateway charged me the cost of a 2 kg package, so it came in at just over $40. Of course I am not about to argue when my Nook is sitting in their warehouse. The other disappointing thing for me was that it sat in Portland at the ComGateway address for 4 days before it was shipped.

But it was shipped and there were no problems, it was just more expensive and slower than I expected.

If you want to use the Nook with the original firmware (though why would you) first register an account with B&N online using a US address, also skip the credit card setup, unless you have a US credit card.

But with CM7 this thing is brilliant: fast and a whole lot more functional. I no longer have tablet envy.

No Updates

My lack of documentation and blog entries is disturbing.

I have been doing things, but they have been un-interesting, at least from a blog point of view. Which I do find troubling.

Uninteresting work tends to make me a little restless.

When a couple of current projects come to an end there may be some interesting things to blog.

Gnome 3.0 Fallback with Compiz

The Gnome 3.0 Fallback mode is one of the nicest Classic Gnome interfaces available. With compiz I think it may be one of the nicest gnome desktops bar none.

And it is easy to get compiz working with it. Really easy. One command easy.

# yum install compiz compiz-gnome compiz-manager compiz-plugins-main

Now, once you enter your username at GDM, you will be presented with a pull-down from which you can select "Classic GNOME with Compiz".

Remove the Accessibility menu in Gnome 3

By default gnome-shell has an accessibility menu visible in the shell. I get that this is sensible by default. But I don’t need it and it bothers me that I can’t remove it.

User fpmurphy over at fedoraforum has posted a shell extension that removes the offending icon.

I have created a tarball of the extension. Download it here and extract it to “~/.local/share/gnome-shell/extensions”

$ cd ~/.local/share/gnome-shell/extensions
$ unzip

Then restart the shell: hit "Alt+F2", type "r" and press Enter.

Mildly Useful Stuff